Wilders Security Forums  

  #1  
Old January 4th, 2008, 04:51 AM
hany3 hany3 is offline
Frequent Poster
 
Join Date: Dec 2007
Posts: 204
Default firewalls protecting against DOS attacks

DOS attacks or denial of service attacks is a large group of attacks with many subtypes
this type of attacks relies on the arp spoofing and simply it does not aim at
actual hacking but its target is to cut the internet service temporarily from the victim's computer "like netcut"

and as i used many firewalls , i always consider 2 important criteria in the firewall before i pay for it

1st powerful leak testing protection
2nd protection against DOS attacks and flood attacks

and i was surprised that only few firewalls implement DOS protection like

1-outpost firewall
2-comodo firewall
3-lavasoft firewall "same outpost engine"
4-jetico firewall "in the recent versions only"
may be also look'n stop

the leaders in DOS attack protection were outpost & lavasoft
but u know how buggy the outpost is
for example inside the local network
any one was trying to use the netcut or arp spoofer
the outpost popup states that some one with the following ip address and MAC address is enumerating users on the local network
or is trying to declare itself as a gateway
and it was efficiently protecting against these kinds of DOS attacks

outpost not only detects the user on the local network who already cut the service using netcut
but also it efficiently detects the user who is just opening the netcut on his pc and enumerating other users on the local network without trying to cut the service

http://img72.imageshack.us/img72/1008/93060053qx2.jpg

but other firewalls even the top rated ones don't provide DOS attacks protection like

1-zone alarm
2-online armor
3-black ice
4-kerio
5- etc......

Last edited by hany3 : January 4th, 2008 at 05:00 AM.
  #2  
Old January 4th, 2008, 05:09 AM
fax's Avatar
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,562
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by hany3
DOS attacks or denial of service attacks is a large group of attacks with many subtypes
this type of attacks relies on the arp spoofing and simply it does not aim at
actual hacking but its target is to cut the internet service temporarily from the victim's computer "like netcut"

and as i used many firewalls , i always consider 2 important criteria in the firewall before i pay for it

1st powerful leak testing protection
2nd protection against DOS attacks and flood attacks

and i was surprised that only few firewalls implement DOS protection like

1-outpost firewall
2-comodo firewall
3-lavasoft firewall "same outpost engine"
4-jetico firewall "in the recent versions only"
may be also look'n stop

the leaders in DOS attack protection were outpost & lavasoft
but u know how buggy the outpost is
for example inside the local network
any one was trying to use the netcut or arp spoofer
the outpost popup states that some one with the following ip address and MAC address is enumerating users on the local network
or is trying to declare itself as a gateway
and it was efficiently protecting against these kinds of DOS attacks

outpost not only detects the user on the local network who already cut the service using netcut
but also it efficiently detects the user who is just opening the netcut on his pc and enumerating other users on the local network without trying to cut the service

http://img72.imageshack.us/img72/1008/93060053qx2.jpg

but other firewalls even the top rated ones don't provide DOS attacks protection like

1-zone alarm
2-online armor
3-black ice
4-kerio
5- etc......

Hi!
just a point of clarification... are you talking about external attacks or attacks within a LAN?

From your description it is just attacks within a LAN... whatever protection you apply, if you give freedom of movement to PCs in a LAN there is always a way to cause disruption...

So, the issue (IMO) is not having a good firewall but to set up properly PCs in a LAN (e.g. limited accounts)

If you are talking about external attacks, I am afraid that whatever firewall you have they can disrupt your connection depending on the volume of flooding you get.

ARP poisoning and similar issues were already discussed extensively here... just use the search function.

Cheers,
Fax
  #3  
Old January 4th, 2008, 04:08 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by fax
So, the issue (IMO) is not having a good firewall but to set up properly PCs in a LAN (e.g. limited accounts)
In many setups, that is not possible. There are many on shared untrusted LANs, such as at college, or even as myself (and many others), on an ISP LAN.
  #4  
Old January 4th, 2008, 04:12 PM
Diver's Avatar
Diver Diver is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: Deep Underwater
Posts: 1,432
Default Re: firewalls protecting against DOS attacks

I believe 8Signs has DOS protection.
__________________
Only those defenses are good, certain and durable, which depend on yourself alone and your own ability.

The Prince, by Niccolo Machiavelli.
  #5  
Old January 4th, 2008, 04:18 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Hi hany3, Welcome to Wilders,
Quote:
Originally Posted by hany3
outpost not only detects the user on the local network who already cut the service using netcut but also it efficiently detects the user who is just opening the netcut on his pc and enumerating other users on the local network without trying to cut the service
The default settings within outpost do need to be changed to make such interceptions (as I mentioned here)

Outpost will see a node that is making many requests, as this is a sign of scanning, therefore scanning is a possibility for an attack. But as I have mentioned (on the above linked post), the actual gateway could also be seen as scanning, so caution is needed, as the gateway could be blocked.
  #6  
Old January 4th, 2008, 04:18 PM
fax's Avatar
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,562
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Stem
or even as myself (and many others), on an ISP LAN.

You mean you have colleagues doing DOS to your machine?

Fax
  #7  
Old January 4th, 2008, 04:25 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Hi Diver,
Quote:
Originally Posted by Diver
I believe 8Signs has DOS protection.
There are many forms of "DOS", some can be prevented simply by hardening the OS.

Such as a DOS attack against your bandwidth (where a sustained attack from inbound packets is made), then there is no (on host) protection from that. We see reports on such attacks where servers are down for hours/ days
  #8  
Old January 4th, 2008, 04:27 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by fax
You mean you have colleagues doing DOS to your machine?

Fax
LOL, No, I mean what I posted.
  #9  
Old January 4th, 2008, 04:28 PM
fax's Avatar
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,562
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Stem
LOL, No, I mean what I posted.

Yep, sorry for the bad joke

Fax
  #10  
Old January 4th, 2008, 04:30 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by fax
Yep, sorry for the bad joke

Fax
I think the bad joke is how software firewalls take more time with leak prevention than packet filtering.
  #11  
Old January 4th, 2008, 04:36 PM
fax's Avatar
fax fax is offline
Very Frequent Poster
 
Join Date: May 2005
Posts: 2,562
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Stem
I think the bad joke is how software firewalls take more time with leak prevention than packet filtering.

Leak prevention is more 'sexy' and sells more than packet filtering
By the way, what is this 'packet filtering'

Fax
  #12  
Old January 4th, 2008, 04:56 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by fax
By the way, what is this 'packet filtering'
A few firewall vendors probably ask that
  #13  
Old January 4th, 2008, 05:03 PM
wat0114
 
Posts: n/a
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Stem
A few firewall vendors probably ask that

Or have been asked and don't respond to the question
  #14  
Old January 4th, 2008, 05:03 PM
Long View's Avatar
Long View Long View is offline
Very Frequent Poster
 
Join Date: Apr 2004
Location: Cromwell Country
Posts: 2,295
Default Re: firewalls protecting against DOS attacks

Hardware Firewall Routers are hardly expensive these days and they all seem to say they have DOS protection on the box. Is there a reason why some still stay with a basic modem ?
__________________
Security Setup : Firefox, Shadow Protect, Shadow Defender, Netgear DG834,
  #15  
Old January 4th, 2008, 05:20 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Long View
Hardware Firewall Routers are hardly expensive these days and they all seem to say they have DOS protection on the box. Is there a reason why some still stay with a basic modem ?
It is for me a question of what DOS protection is in place.
Please show me a firewall vendor that shows DOS protection, then we need to look for the "Type" of DOS protected from. We can then debate this.
  #16  
Old January 4th, 2008, 05:38 PM
Long View's Avatar
Long View Long View is offline
Very Frequent Poster
 
Join Date: Apr 2004
Location: Cromwell Country
Posts: 2,295
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Stem
It is for me a question of what DOS protection is in place.
Please show me a firewall vendor that shows DOS protection, then we need to look for the "Type" of DOS protected from. We can then debate this.

You might be able to debate this but I have no idea what it all means. Today I saw a Router Firewall made by Buffalo which made reference to DOS on the box.
I use an old Netgear DG834 and the help files say things like
"With SPI, the router looks at individual packets for patterns similar to known hacker techniques, such as Denial of Service ( DoS ) attacks......" Is this all BS or do these boxes provide any protection ? As a home user am I likely to be attacked ?
__________________
Security Setup : Firefox, Shadow Protect, Shadow Defender, Netgear DG834,
  #17  
Old January 4th, 2008, 06:07 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Long View
You might be able to debate this but I have no idea what it all means.
Sorry, maybe "Debate" was incorrect for me to say. I should have said, I will try to explain these with open discussion.

Quote:
Originally Posted by Long View
Today I saw a Router Firewall made by Buffalo which made reference to DOS on the box.
I use an old Netgear DG834 and the help files say things like
"With SPI, the router looks at individual packets for patterns similar to known hacker techniques, such as Denial of Service ( DoS ) attacks......"
Basically they will attempt to put forward that unsolicited, or simple spoofed packets are dropped. Yes, these can be used to DOS, but the protection I see is very basic and is only protection from such as scans (which most software firewalls will do) with possible follow up (see below)
Quote:
Originally Posted by Long View
Is this all BS or do these boxes provide any protection ?
To say it is BS would be incorrect without them actually putting forward full disclosure of the protection they have in place against a shown attack.
Quote:
Originally Posted by Long View
As a home user am I likely to be attacked ?
Very unlikely, the only possibility is if you use server software, as this can cause attention.

Do be aware, that DOS attacks against home users are made against open ports (Application layer), as these are actually made against the way the OS processes these.
If you are simply running with all ports closed(or stealthed) then such bypass is very rare, as the only attack possibility is against the ports used while you are online, and a good packet filter firewall will protect from the spoofed/bad/malformed inbound on these ports.

NOTE: I am only looking at Application layer on this reply
  #18  
Old January 4th, 2008, 06:16 PM
wat0114
 
Posts: n/a
Default Re: firewalls protecting against DOS attacks

Apparently there is a difference between "home router" SPI protection and "commercial router" SPI protection, with the commercial router incorporating much better SPI. I don't know but it would not surprise me. After all, you usually get what you pay for. Is too much, perhaps, being expected from cheap home routers or basic pc firewalls?
  #19  
Old January 4th, 2008, 10:33 PM
Diver's Avatar
Diver Diver is offline
Very Frequent Poster
 
Join Date: Feb 2005
Location: Deep Underwater
Posts: 1,432
Default Re: firewalls protecting against DOS attacks

@Stem

What sort of OS hardening did you have in mind for protecting against DOS? How would you do these things on XP or 2003?
__________________
Only those defenses are good, certain and durable, which depend on yourself alone and your own ability.

The Prince, by Niccolo Machiavelli.
  #20  
Old January 5th, 2008, 04:20 AM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Diver
@Stem

What sort of OS hardening did you have in mind for protecting against DOS? How would you do these things on XP or 2003?
Have a look at Harden-it

http://www.sniff-em.com/hardenit.shtml
  #21  
Old January 5th, 2008, 05:08 AM
Long View's Avatar
Long View Long View is offline
Very Frequent Poster
 
Join Date: Apr 2004
Location: Cromwell Country
Posts: 2,295
Default Re: firewalls protecting against DOS attacks

Stem - thanks - very interesting. If there is a "better" hardware Firewall that, as a home user (no site, no server software), I could buy I would be interested in doing so. Any software solutions would have to have no or minimal performance impact for me to be interested. For nearly a year now I have operated with nothing but the Netgear - ie no software firewall, no av real time, no as realtime, no hips and so on. I made these changes following 11 years of trying almost every program that came along. For the first 10 years or so I thought these programs were protecting me in some mysterious way but eventually realized that although they were very good false positive collectors no one seemed to be attacking me nor sending me spyware viruses etc.

Every so often I install an on demand program to check and find nothing. If there is a favorite program that anyone recommends I will be happy to check.

Anyway my only real concern had been how good is the firewall - but after a year on nothing I'm starting to think that my sort of user is of no interest to the bad boys ?
__________________
Security Setup : Firefox, Shadow Protect, Shadow Defender, Netgear DG834,
  #22  
Old January 5th, 2008, 03:11 PM
hany3 hany3 is offline
Frequent Poster
 
Join Date: Dec 2007
Posts: 204
Default Re: firewalls protecting against DOS attacks

hii all my friends in the forum
thanx for your valuable replies
i appreciate all of them
so i am a member of many security forums
but i finally decided to join this famous forum

{snip - let's leave the discussion of activity of other forums at those other forums, no need to raise it here - Blue}

any way , back to dos attacks


1- i think many users are liable to dos attacks
me , as a member of a commercial wireless network
i am always subjected to that kind of attacks from other users within the wireless lan
and i think it is wonderful job of the firewall to know the ip address and the mac address of the computer that is trying to cut the net from my pc ,even if it couldn't protect me from such denial of service attacks

2- sure the outpost and lavasoft should be configured to be able to detect users who are just enumerating other lan hosts , can't be done on default configuration

3- sometimes the response of the firewall "outpost" to such dos attacks is to block the intruder as well as the original gateway , so finally the firewall protect the victim's pc from spoofing by blocking the gateway which result in actual cutting of the net service so it protect cutting the net by cutting the net

the main difference is not the attacker who cut the net
but it's the firewall itself
but same result u will get


4-many of the current firewalls don't protect against dos attacks , and it's so strange . they are interested in leak protection and leave a security hole like this
for example i did a thread in online armor forum requesting such feature



by the way i'm a member in outpost , lavasoft , comodo , online armor and many other firewall forums
under the same name


thanks all
cheers


Dr. Hany Samir

Last edited by hany3 : January 5th, 2008 at 03:23 PM.
  #23  
Old January 5th, 2008, 04:11 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Hi Long View,
Quote:
Originally Posted by Long View
Anyway my only real concern had been how good is the firewall - but after a year on nothing I'm starting to think that my sort of user is of no interest to the bad boys ?
If your setup is working for you, then there is really no need to change it.
  #24  
Old January 5th, 2008, 04:14 PM
Stem Stem is offline
Firewall Expert
 
Join Date: Oct 2005
Location: UK
Posts: 4,948
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by hany3
i am always subjected to that kind of attacks from other users within the wireless lan
It does depend on if the attacks are successful.
Do you place a static ARP entry into the cache for the gateway?
  #25  
Old January 6th, 2008, 12:33 AM
hany3 hany3 is offline
Frequent Poster
 
Join Date: Dec 2007
Posts: 204
Default Re: firewalls protecting against DOS attacks

Quote:
Originally Posted by Stem
It does depend on if the attacks are successful.
Do you place a static ARP entry into the cache for the gateway?

yes sometimes it's successful
although i enter a static gateway in the lan settings
i make my gateway static not a dynamic one to protect it from being falsely changed by another user using the netcut , winarp spoofer , switch sniffer or any other spoofing software
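
Added example, not written by any poster in this thread and not Outpost's actual logic: a Python sketch of the two checks discussed above, flagging a host that ARP-requests many addresses in a short window and a host that claims the gateway's IP with a MAC other than the pinned (static) one, while only logging when the real gateway itself looks like a scanner. The event tuples, addresses, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque

# Pinned gateway identity, as a static ARP entry would hold it (made-up values).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"


def sample_events():
    """Constructed ARP observations: (seconds, op, sender_ip, sender_mac, target_ip)."""
    events = []
    # The real gateway refreshing its table: many requests in a short time.
    for i in range(2, 8):
        events.append((i * 0.1, "request", GATEWAY_IP, GATEWAY_MAC, f"192.168.1.{i}"))
    # Another host walking the subnet (enumerating LAN users).
    for i in range(2, 8):
        events.append((5 + i * 0.1, "request", "192.168.1.66",
                       "de:ad:be:ef:00:66", f"192.168.1.{i}"))
    # The same host answering for the gateway's IP with its own MAC.
    events.append((7.0, "reply", GATEWAY_IP, "de:ad:be:ef:00:66", "192.168.1.20"))
    # An ordinary host resolving the gateway once.
    events.append((8.0, "request", "192.168.1.20", "aa:bb:cc:00:00:20", GATEWAY_IP))
    return events


def analyze(events, gateway_ip, gateway_mac, sweep_threshold=5, window=2.0):
    """Return a list of (alert, sender_mac, action) tuples in time order."""
    gateway_mac = gateway_mac.lower()
    alerts = []
    recent = defaultdict(deque)  # sender MAC -> (time, target_ip) inside the window
    flagged = set()              # senders already reported as sweeping
    for ts, op, s_ip, s_mac, t_ip in sorted(events):
        s_mac = s_mac.lower()
        # Check 1: someone other than the pinned MAC speaks for the gateway IP.
        if s_ip == gateway_ip and s_mac != gateway_mac:
            alerts.append(("gateway-claim", s_mac, "block"))
        if op != "request":
            continue
        # Check 2: many distinct targets requested within a sliding window.
        q = recent[s_mac]
        q.append((ts, t_ip))
        while q and ts - q[0][0] > window:
            q.popleft()
        if s_mac not in flagged and len({t for _, t in q}) >= sweep_threshold:
            flagged.add(s_mac)
            # The real gateway can look like a scanner; never block it.
            is_gateway = s_ip == gateway_ip and s_mac == gateway_mac
            alerts.append(("arp-sweep", s_mac, "log-only" if is_gateway else "block"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(sample_events(), GATEWAY_IP, GATEWAY_MAC):
        print(alert)
```
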
 
